Friday, November 6, 2020

How to add and delete Static Routes on macOS (persistently)


● Problem


I have several networks at home, including 192.168.1.0/24 and 192.168.2.0/24. A problem occurred when I connected to a VPN site because it gives a route with 192.168.2.0/23. So my traffic on 192.168.2.0/24 routed through the VPN tunnel instead of my internal home network.

Therefore, I need to add a static route on my MacBook Pro.

● Solution


Here is how to add or delete a static route on macOS.

As you see below, I received the 192.168.2.0/23 route from the VPN, and it routes through the tunnel interface, utun3. First, disconnect the VPN and add a static route as described below.

To view the routing table:

You can use the following command "netstat -rn" and use 'grep' to filter with a specific network on the Terminal.

macOS:/Users/analysisman% netstat -rn | grep 192.168.2.
192.168.2/23 1.1.1.1 UGSc utun3



▶ Method 1. Add a static route temporarily


To add a static route:


macOS:/Users/analysisman% sudo route -n add -net 192.168.2.0/24 192.168.1.1
add net 192.168.2.0: gateway 192.168.1.1



To verify the route you added:


macOS:/Users/analysisman% netstat -rn | grep 192.168.2.
192.168.2 192.168.1.1 UGSc en10
192.168.2/23 1.1.1.1 UGSc utun3


Now, 192.168.2.0/24 routes through my Ethernet interface, en10.


To delete a static route:


macOS:/Users/analysisman% sudo route -n delete 192.168.2.0/24
Password:
delete net 192.168.2.0



▶ Method 2. Add a static route persistently


The above route will be gone if you reboot your Mac. You need to add a static route permanently if you want to keep this route persistently.


To verify the route your interface:


macOS:/Users/analysisman% ifconfig -a
…snipped…

en10: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=6407<RXCSUM,TXCSUM,VLAN_MTU,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
ether 00:24:9b:33:44:55
inet6 fe80::3f:e0d:4455:1ebe%en10 prefixlen 64 secured scopeid 0xb
inet 192.168.1.103 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex>)



To list devices (network adapters):


macOS:/Users/analysisman% networksetup -listallnetworkservices

An asterisk (*) denotes that a network service is disabled.
FT232R USB UART
USB 10/100/1000 LAN 2
USB 10/100/1000 LAN
USB 10/100/1000 LAN 3
USB 10/100/1000 LAN 4
USB 10/100/1000 LAN 5
Belkin USB-C LAN
Wi-Fi
iPhone USB 2
Bluetooth PAN
Thunderbolt Bridge
GlobalProtectDo
GlobalProtectDo 2


Or

To list devices with the interface number:


I prefer this command because it also shows the ethernet number (e.g. en10).

macOS:/Users/analysisman% networksetup -listnetworkserviceorder

An asterisk (*) denotes that a network service is disabled.
(1) FT232R USB UART
(Hardware Port: FT232R USB UART, Device: usbserial-AI06J8P5)

(2) USB 10/100/1000 LAN 2
(Hardware Port: USB 10/100/1000 LAN, Device: en8)

(3) USB 10/100/1000 LAN
(Hardware Port: USB 10/100/1000 LAN, Device: en10)



To add a static route permanently:


Usage:
networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]*

macOS:/Users/analysisman% sudo networksetup -setadditionalroutes "USB 10/100/1000 LAN" 192.168.2.0 255.255.255.0 192.168.1.1


To verify the route you added:


macOS:/Users/analysisman% netstat -rn | grep 192.168.2.
192.168.2 192.168.1.1 UGSc en10


To delete this permanent route:


Use sudo networksetup -setadditionalroutes interface-name without the address, netmask, and gateway.

macOS:/Users/analysisman% sudo networksetup -setadditionalroutes "USB 10/100/1000 LAN"


To see all commands:


networksetup -help
Or
networksetup -printcommands


10 comments:

  1. Hi AnalysisMan

    Would you be able to help me with where/which file stores the route information that is displayed when we execute netstat -ln

    Regards
    Vinay Chandran

    ReplyDelete
  2. I refer to this page every so often, I appreciate you keeping this up. Very helpful!

    ReplyDelete
  3. Thanks for this post. It was very useful. Just my additional 2 cents -

    We can also get the configured permanent static routes using: networksetup -getadditionalroutes "USB 10/100/1000 LAN" .

    Also, if we want to add multiple routes permanently then we can add additional tuples on the same command. Eg., sudo networksetup -setadditionalroutes "Wi-Fi" 192.168.230.0 255.255.255.0 192.168.20.82 192.168.68.0 255.255.255.0 192.168.20.82

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. I'm doing something wrong. I work from home and connect to my company's VPN. I need an SMB connection to our file server, which has the IP 192.168.2.108. VPN My network at home has the IP 192.168.68.1. Tunnel Interface is utun3.

    When I run the command
    sudo networksetup -setadditionalroutes "VPN Work" 192.168.2.108 255.255.255.0 192.168.68.1
    my browser traffic goes through the VPN instead of my home network.
    What am I doing wrong?

    ReplyDelete
  6. This comment has been removed by the author.

    ReplyDelete
  7. I run a bittorent server for openSource Linux distros. Over time I have manually blocked literally thousands of leachers and downloaders who I do not want to have access my system, as well as blocking 10s of 1,000s of botnets by firewalls. I have migrated my firewall settings to static routes blocked and the performance is much better.

    I'm just having trouble consistently adding ip6 addresses to be blocked.

    Beforehand, I enter the thousands of addresses I have collected to be blocked into JSON array lookup tables, to be accessed by a python script that reads them and inserts them into an iterating command line by nested for-loops.

    I always debug by entering the command first on a command line before automating the process.

    Example:

    I have been trying to set a permanent static route on my Mac using:
    networksetup -setadditionalroutes "Ethernet" 2408:8266:: ffff:ffff:fffc:0000:0000:0000:0000:0000 ::1
    which returns:
    Route destination 2408:8266:: is not a valid IP address. ** Error: The parameters were not valid. ≈≈≈ That is not true as it is the top address of the CHINA UNICOM China169 Backbone server, from which I get scores of leachers and people who try to get past my firewall.

    as well as trying:
    ifconfig en0 inet6 2408:8266:: prefixlen 32 alias
    which blocks everything in 2408:8266::/32 except 2408:8266:: itself.

    My question is a) can networksetup -setadditionalroutes accept ip6 addresses and how?
    b) if not, can ifconfig block the root address of 2408:8266::/32?

    I would prefer a network setup solution because they much easier to clear than ifconfig ones. Removing ifconfig entries can take hours, one and a time whereas networksetup just clears the service by name (Ethernet, WiFi, VPN) in moments

    On a parallel theme, is there away to wipe all the static route entries from my Mac, especially those put in by ifconfig in one fell swoop so I can re-enter them cleanly?

    Help is much appreciated.

    ReplyDelete